Cybersecurity and
Infrastructure Protection
Copyright © 2016 by Excelsior College
Published by arrangement with
Excelsior College’s National Cybersecurity Institute (NCI)
All rights reserved.
No part of this book may be reproduced in any form or by any means electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without permission in writing from the publisher.
Hudson Whitman/ Excelsior College Press
7 Columbia Circle
Albany, NY 12203
www.hudsonwhitman.com
Printed in the United States of America
Book design by Sue Morreale
Cover design by Philip E. Pascuzzo
ISBN 978-1-944079-92-5
eISBN 978-1-944079-12-3
Contents
Acknowledgments
Chapter 1 Introduction
Chapter 2 Governmental Initiatives for Critical Infrastructure Protection
Chapter 3 Physical and Perimeter Security Models
Chapter 4 Cyber Attack Threat Actors and Their Methods
Chapter 5 The Ever-Changing Threat Landscape
Chapter 6 Cybersecurity Defensive Architecture for Nuclear Power Plants
Chapter 7 Emerging Trends
Chapter 8 Summary: Realistic Expectations
References
About the Authors
Acknowledgments
A book of any sort is never written alone, and that is certainly true of this book. The authors wish to thank everyone who contributed their time and effort bringing this work to fruition. Without their guidance, assistance, and never-ending patience, it would never have happened. Thank you.
Chapter 1
Introduction
The security of the data in our digital systems has dominated conversations throughout the cyber community in recent years. This conversation is prompted by the ongoing and escalating series of digital breaches that have affected business organizations, learning institutions, healthcare facilities, and government agencies. Hardly a week goes by that the media does not report on yet another cyber breach that costs millions of dollars, exposes personally identifying information (PII), and sullies the reputation of yet another organization or agency. Last year, according to some reports, there were over 40 million cyber-attacks, averaging over 100,000 per day—an increase of nearly 50 percent from the previous year (Bennett, 2014). The level of attacks in 2015 seems to be outpacing even that. In one attack alone on a government agency in the United States in early 2015, over 22 million records were stolen, and tens of millions of records were lost during hacks of several healthcare services (Granville, 2015). The financial costs of these digital breaches are staggering. According to the well-known U.K. insurer Lloyd’s, cyber-attacks are costing organizations over 400 billion dollars each year, and those costs are rising. These high-profile cyber breaches highlighted in the media gain a good deal of public attention, especially if—as with the SONY breach in 2014—there are celebrities involved (Gandel, 2015).
While the reports of such attacks are meaningful, as they tend to educate and alert the general public to the ongoing threats to our security, they often neglect a more important aspect—the cyber threats and attacks against our critical infrastructure, the foundations that keep our society functioning. While we are inconvenienced when our credit card services are disrupted, or troubled at the prospect of our health records being made public, we fail to recognize the devastating impact on our society should a cyber-attack suddenly cut off our water supply, electricity, or other services we count on in our daily lives. Although they receive less media attention, attacks on our critical infrastructure are a serious concern. According to a recent survey, almost 90 percent of managers in critical sectors report attacks on their organizations, and nearly 50 percent believe it is likely that a cyber-attack on critical infrastructure within the next five years will result in the loss of lives. Our critical infrastructure is being attacked by those with malicious intent and is, by some accounts, more vulnerable than many believe. It must be protected.
In this book we will examine the 16 critical infrastructure sectors and how each has its own importance yet is strategically intertwined with others. We will also examine what the threats to these sectors are, who might be attacking them, how those attacks might take place, the measures that are being taken to protect them, and the governance that seeks to regulate that protection.
A Brief Review of Critical Infrastructure Protection
The nation’s critical infrastructure provides the essential services that underpin American society and serves as the backbone of our nation’s economy, security, and health. We know it as the power we use in our homes, the water we drink, the transportation that moves us, the stores we shop in, and the communication systems we rely on to stay in touch with friends and family.
—United States Department of Homeland Security
As identified by the United States government through “Presidential Policy Directive 21 (PPD-21): Critical Infrastructure Security and Resilience,” there are 16 Critical Infrastructures. Listed alphabetically, they are: (1) the Chemical Sector, (2) the Commercial Facilities Sector, (3) the Communications Sector, (4) the Critical Manufacturing Sector, (5) the Dams Sector, (6) the Defense Industrial Base Sector, (7) the Emergency Services Sector, (8) the Energy Sector, (9) the Financial Services Sector, (10) the Food and Agriculture Sector, (11) the Government Facilities Sector, (12) the Healthcare and Public Health Sector, (13) the Information Technology Sector, (14) the Nuclear Reactors, Materials, and Waste Sector, (15) the Transportation Systems Sector, and (16) the Water and Wastewater Systems Sector (U.S. Department of Homeland Security, 2015).
Each of these sectors shares commonalities with, and has differences from, the others. All have been identified as essential to the continuation of our society and are in many cases interwoven, yet many are publicly or privately owned and answer only to their stakeholders for operations. As such, each organization has been responsible for its own physical security and cybersecurity to protect the physical and digital assets it is entrusted with. This has resulted in a piecemeal system of security measures customized to meet the particular needs of each individual sector. While cybersecurity varies from sector to sector, it generally entails the coordination and interplay of three well-known areas: people, processes, and technology.
People
Computer systems, when programmed correctly, can be made not to make errors, whereas human beings inherently make mistakes. We are fallible creatures and often have errors in judgment that affect the decisions we make. We each have different needs, moral and ethical values, and thought patterns for making decisions that impact our organizations. To eliminate or at least reduce errors, organizations have instituted cybersecurity awareness training. Aside from providing training that will permit the members of an organization to recognize and deal accordingly with attempts to breach a system, it is hoped that such training will help to establish a cybersecurity culture that protects data.
Process
The employees who use a digital system must abide by the rules and policies that have been put in place to guide them in preventing data loss. These cybersecurity policies should be all-inclusive, with rules that cover, in detail, the functioning of the system. Emphasis should be on access control, so that no one is permitted access to the system that they should not have. Policies and procedures should also define exactly who has what level of access and what activities that employee is permitted, including entering code and moving any data out of the system. “Least privilege,” or granting the least access possible, should be the guiding principle.
Technology
The technology to prevent a cyber breach is a key element in any successful cybersecurity program. However, it must be understood that technology alone cannot prevent hackers from breaching a system. A layered defense against hackers includes technology alongside people and process and can be effective in thwarting most intruders. Firewalls, anti-intrusion software, updated operating system software, and a well-monitored intrusion detection system (IDS) will make it difficult for bad actors to move within a digital system and disrupt operations.
While each of the critical infrastructure sectors is unique in its physical security, they share commonalities in their cyber defenses. Well-defined policies, well-trained people, and proper technology are what they all have in common. The problem they all face is combining those assets in the correct formula to thwart cyber-attacks.
Chapter 2
Governmental Initiatives for Critical Infrastructure Protection
Partnering for Critical Infrastructure Security and Resilience.”